VirtualBox

source: vbox/trunk/doc/manual/en_US/dita/topics/vbox-auth.dita@ 105303

Last change on this file since 105303 was 105303, checked in by vboxsync, 9 months ago

Docs: bugref:10705. More merging from docs team repo. Once again almost exclusively white space changes.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id Revision
File size: 7.1 KB
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
<topic xml:lang="en-us" id="vbox-auth">
  <title>RDP Authentication</title>

  <body>
    <p> For each virtual machine that is remotely accessible using RDP, you can individually
      determine if and how client connections are authenticated. For this, use the
      <userinput>VBoxManage modifyvm</userinput> command with the
      <codeph>--vrde-auth-type</codeph> option. See <xref href="vboxmanage-modifyvm.dita"
      >VBoxManage modifyvm</xref>. The following methods of authentication are available: </p>
    <ul>
      <li>
        <p>
          The <b outputclass="bold">null</b> method means that
          there is no authentication at all. Any client can connect to
          the VRDP server and thus the virtual machine. This is very
          insecure and is recommended only for private networks.
        </p>
      </li>
      <li>
        <p>
          The <b outputclass="bold">external</b> method
          provides external authentication through a special
          authentication library. <ph conkeyref="vbox-conkeyref-phrases/product-name"/> ships with two
          special authentication libraries:
        </p>
        <ol>
          <li>
            <p>
              The default authentication library,
              <userinput>VBoxAuth</userinput>, authenticates against user
              credentials of the host. Depending on the host
              platform, this means the following:
            </p>
            <ul>
              <li>
                <p>
                  On Linux hosts, <userinput>VBoxAuth.so</userinput>
                  authenticates users against the host's PAM system.
                </p>
              </li>
              <li>
                <p>
                  On Windows hosts, <userinput>VBoxAuth.dll</userinput>
                  authenticates users against the host's WinLogon
                  system.
                </p>
              </li>
              <li>
                <p>
                  On macOS hosts, <userinput>VBoxAuth.dylib</userinput>
                  authenticates users against the host's directory
                  service.
                </p>
              </li>
            </ul>
            <p>
              In other words, the external method by default performs
              authentication with the user accounts that exist on the
              host system. Any user with valid authentication
              credentials is accepted. For example, the username does
              not have to correspond to the user running the VM.
            </p>
          </li>
          <li>
            <p>
              An additional library called
              <userinput>VBoxAuthSimple</userinput> performs
              authentication against credentials configured in the
              <codeph>extradata</codeph> section of a virtual
              machine's XML settings file. This is probably the
              simplest way to get authentication that does not depend
              on a running and supported guest. The following steps
              are required:
            </p>
            <ol>
              <li>
                <p>
                  Enable <userinput>VBoxAuthSimple</userinput> with the
                  following command:
                </p>
                <pre xml:space="preserve">VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple"</pre>
              </li>
              <li>
                <p>
                  To enable the library for a particular VM, you must
                  switch authentication to external, as follows:
                </p>
                <pre xml:space="preserve">VBoxManage modifyvm <varname>VM-name</varname> --vrde-auth-type external</pre>
                <p>
                  Replace <varname>VM-name</varname> with the
                  VM name or UUID.
                </p>
              </li>
              <li>
                <p>
                  You then need to configure users and passwords by
                  writing items into the machine's extradata. Since
                  the XML machine settings file, into whose
                  <codeph>extradata</codeph> section the password
                  needs to be written, is a plain text file,
                  <ph conkeyref="vbox-conkeyref-phrases/product-name"/> stores a hash of each password
                  instead of the password itself. The
                  following command must be used:
                </p>
                <pre xml:space="preserve">VBoxManage setextradata <varname>VM-name</varname> "VBoxAuthSimple/users/<varname>user</varname>" <varname>hash</varname>
</pre>
                <p>
                  Replace <varname>VM-name</varname> with the
                  VM name or UUID, <varname>user</varname>
                  with the name of the user who should be allowed to log in,
                  and <varname>hash</varname> with the
                  hash of the password. The following command example
                  obtains the hash value for the password
                  <codeph>secret</codeph>:
                </p>
                <pre xml:space="preserve">$ VBoxManage internalcommands passwordhash "secret"
2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</pre>
                <p>
                  You then use <userinput>VBoxManage
                  setextradata</userinput> to store this value in the
                  machine's <codeph>extradata</codeph> section.
                </p>
                <p>
                  As a combined example, to set the password for the
                  user <codeph>john</codeph> and the machine
                  <codeph>My VM</codeph> to
                  <codeph>secret</codeph>, use this command:
                </p>
                <pre xml:space="preserve">VBoxManage setextradata "My VM" "VBoxAuthSimple/users/john" 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</pre>
              </li>
            </ol>
          </li>
        </ol>
      </li>
      <li>
        <p>
          The <b outputclass="bold">guest</b> authentication
          method performs authentication with a special component that
          comes with the Guest Additions. As a result, authentication
          is not performed on the host, but with the guest user
          accounts.
        </p>
        <p>
          This method is still in testing and is not yet
          supported.
        </p>
      </li>
    </ul>
    <p>
      In addition to the methods described above, you can replace the
      default external authentication module with any other module.
      For this, <ph conkeyref="vbox-conkeyref-phrases/product-name"/> provides a well-defined interface that
      enables you to write your own authentication module. This is
      described in detail in the <ph conkeyref="vbox-conkeyref-phrases/product-name"/> Software Development
      Kit (SDK) reference. See <xref href="VirtualBoxAPI.dita#VirtualBoxAPI"/>.
    </p>
  </body>

</topic>
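An added example for the VBoxAuthSimple steps in the topic above (not part of the DITA source or of VirtualBox): it builds the `setextradata` command without placing the clear-text password on a command line, and audits a VM's `VBoxAuthSimple/users/*` entries. It assumes the stored value is the unsalted SHA-256 hex digest of the password, which matches the page's value for `secret`, and that `VBoxManage getextradata <VM-name> enumerate` prints `Key: ..., Value: ...` lines; the function names and the sample are constructed for illustration.

```python
import hashlib
import re

# Hash value printed in the topic for the password "secret".
PAGE_HASH = "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b"

def password_hash(password: str) -> str:
    """Unsalted SHA-256 hex digest (assumed passwordhash algorithm)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def setextradata_argv(vm: str, user: str, password: str) -> list:
    """The topic's setextradata command as an argument list; only the hash,
    never the clear-text password, ends up in shell history or process lists."""
    return ["VBoxManage", "setextradata", vm,
            f"VBoxAuthSimple/users/{user}", password_hash(password)]

ENTRY = re.compile(r"^Key: VBoxAuthSimple/users/(?P<user>[^,]+), Value: (?P<hash>\S*)$")

def audit(enumerate_output: str, weak_passwords: list) -> list:
    """Return (user, finding) pairs for the VBoxAuthSimple entries."""
    weak = {password_hash(p) for p in weak_passwords}
    seen, findings = {}, []
    for line in enumerate_output.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        user, digest = m["user"], m["hash"].lower()
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            findings.append((user, "value is not a 64-digit hex hash"))
        elif digest in weak:
            findings.append((user, "hash of a listed weak password"))
        if digest in seen:  # no salt: equal passwords give equal hashes
            findings.append((user, f"same hash as {seen[digest]}"))
        seen.setdefault(digest, user)
    return findings

# Constructed sample in the assumed "Key: ..., Value: ..." layout.
SAMPLE = """\
Key: GUI/LastCloseAction, Value: PowerOff
Key: VBoxAuthSimple/users/john, Value: 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
Key: VBoxAuthSimple/users/mary, Value: 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b
Key: VBoxAuthSimple/users/ops, Value: secret
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE, ["secret", "password"]):
        print(f"{user}: {finding}")
```

Because the hash carries no salt, anyone who can read the machine settings file can test candidate passwords against it offline, so the file's permissions and the password's strength both matter.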